The enterprise always loves to increase the security posture. One authentication approach enterprise takes in Azure is App registration with a
service principal. The advantage here is that the service principal can use certificates to authenticate instead of passwords. Certificates are secure than passwords as those can be centrally managed.
Problem
If our application uses the service principal + certificate and it is working fine, there is no issue. But the problem starts when something goes wrong. If we log in to the portal using our credentials and try scenarios that are failing, we may see everything works fine. But things go wrong when the application logs in using service principal. It may be a permission issue,
expired certificates or passwords, etc...
What if the problems appeared first in production where enterprises don't allow any changes to the environment. ie no debugging tools are allowed to
install etc...
Solution
The solution is to troubleshoot the scenario as close as how the application works. We
have to log in as the service principal and try the application
scenarios.
As always in enterprise the best method to troubleshoot in production environments is PowerShell. Below goes the code to log into Azure from
PowerShell using service principal and generating a JWT access token.
The
Connect-AzAccount
cmdlet provides different ways to log in. Using the service principal is one of the methods.
Please note that the Az.Accounts need a minimum of Windows PowerShell 5.1 or
PowerShell 7 version.
Once the PowerShell session is authenticated, we can perform various
operations as the service principal.
In most cases, the access token is not really required. There are PowerShell
SDKs for most of the Azure services. We can directly use them. But in some
cases like interacting with the data plane of Service Bus, we may need to use
the access token and embed it in the Authorization header of the HTTP request.
Limitations
It reads the certificate from the personal store unless loaded from a file. We
cannot pass an X509Certificate object to the Connect-AzAccount cmdlet. There
is already an issue in GitHub
to track it.
Update : 2021-10-30
What if we don't have permission to install Az.Accounts module?
Recently, I came to one production debugging situation where there is no permission to install the Az.Accounts module and even no connectivity to the internet to get the module. The only way is to write everything ourselves. Fortunately, someone had already done that and it is available publicly. If interested read the official docs.
2 comments:
Yeah. It is in open state for the last 2 years.
Hi Team, Your explanation about "Azure Enterprise - PowerShell log in as service principal + certificate and generate JWT access token" I was pleased to see. Your description of the troubleshooting scenario, as close to how the application works, and the coding you provided are helpful. It was easy to understand for me. Thanks for Sharing your Info!!!
Post a Comment